A threat management facility that remotely stores global reputation information for network content can be used in combination with a recognition engine such as a machine learning classifier that is locally deployed on endpoints within an enterprise network. More specifically, the recognition engine can locally evaluate reputation for a network address being accessed by an endpoint, and this reputation information can be used to dynamically establish a timeout for a request from the endpoint to the threat management facility for corresponding global reputation information.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer program product comprising computer executable code embodied on a non-transitory computer readable medium that, when executing on an endpoint, performs the steps of: intercepting a request for content from a browser executing on the endpoint, the request including a Uniform Resource Locator that identifies a recipient for the request on a data network; applying a machine learning classifier locally on the endpoint to estimate a risk associated with the Uniform Resource Locator; transmitting a lookup request for the Uniform Resource Locator from the endpoint to a remote threat management facility; determining a timeout for a response from the remote threat management facility to the lookup request based on the risk determined by the machine learning classifier, the timeout providing a window of limited duration for receiving the response at the endpoint; when the response is received within the window provided by the timeout, processing the request for content according to the response from the remote threat management facility; and when the response is not received within the window provided by the timeout, processing the request for content using a default local rule on the endpoint.
2. The computer program product of claim 1 wherein processing the request for content includes blocking retrieval of the content.
3. The computer program product of claim 1 wherein processing the request for content includes scanning the content for malware.
4. The computer program product of claim 1 wherein processing the request for content includes executing the content.
5. A system comprising: an endpoint associated with an enterprise network, the endpoint including a computing device comprising a memory and a processor; an endpoint security agent executing on the processor based on instructions in the memory, the endpoint security agent including a recognition engine for evaluating riskiness of a network address, and the endpoint security agent configured to determine a risk value for network communications of the endpoint containing the network address using the recognition engine, and to transmit the risk value and a security request for the network address to a remote resource for evaluation; and a threat management facility for the enterprise network, the threat management facility coupled in a communicating relationship with the endpoint and the threat management facility configured to respond to the security request based on the risk value, wherein the threat management facility is configured to prioritize a response to the endpoint relative to one or more other requests from one or more other endpoints based upon the risk value.
6. The system of claim 5 wherein the network communications include content retrieved from the network address, and wherein the threat management facility adjusts a scanning of the content based on the risk value.
7. The system of claim 6 wherein the threat management facility is configured to adjust the scanning by adjusting an amount of the content that is scanned.
8. The system of claim 6 wherein the threat management facility is configured to adjust the scanning by adjusting a size of a library used to identify malware.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
May 3, 2018
March 17, 2020
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.